MAEDS Fall 2014 - Microsoft DirectAccess & Work Folders

Microsoft DirectAccess
& Work Folders
NICHOLAS A. HAY
MONROE COUNTY ISD
NICHOLAS.HAY@MONROEISD.US
What is DirectAccess?
• The VPN that doesn’t require any configuration or user interaction to use. Once an
internet connection is established, DirectAccess connects automatically on the device.
• DirectAccess establishes IPsec tunnels from the client to the DirectAccess server,
and uses IPv6 to reach intranet resources or other DirectAccess clients. This
technology encapsulates the IPv6 traffic over IPv4 to be able to reach the intranet
over the Internet, which still (mostly) relies on IPv4 traffic. - Wikipedia
• Uses IPv6 to route traffic through the Direct Access connection. Don’t worry, you
don’t need to be an expert at IPv6.
• Requires Windows Server 2008 R2 or newer
• Client Requirements
• Windows 7 Enterprise or Ultimate
• Windows 8 Enterprise
• Which names go through the tunnel is decided by the DNS suffixes and DNS servers you
specify during setup (the Name Resolution Policy Table, or NRPT, which Group Policy pushes
to the clients).
What is DirectAccess?
• Windows Server 2008 R2 required IPv6 to be used end to end on the intranet. Windows
Server 2012 resolved this by building in NAT64 and DNS64, so DirectAccess clients
can reach servers on an IPv4-only internal network.
• A DirectAccess client can use one of several tunneling technologies,
depending on the configuration of the network the client is
connected to. The client can use 6to4, Teredo tunneling, or IP-HTTPS,
provided the server is configured correctly to be able to use them. For
example, a client that is connected to the Internet directly will use
6to4, but if it is inside a NATed network, it will use Teredo instead. In
addition, Windows Server 2012 provides two backward compatibility
services DNS64 and NAT64, which allows DirectAccess clients to
communicate with servers inside the corporate network even if those
servers are only capable of IPv4 networking. - Wikipedia
Why use DirectAccess?
• If a device leaves the network, you can give users an on-premises
experience as long as they have a reliable internet connection.
• Users keep their mapped drives.
• Ability to push out GPOs/policies at all times, because the computer’s tunnel comes up
before anyone logs on.
• Ability to give users internal applications that you don’t want to publish to
the outside world.
DirectAccess and Firewall
• IP-HTTPS is the only transition protocol the Windows Server 2012 wizard leaves available
when you choose the topology “behind an edge device”: Teredo needs the Edge topology with
two consecutive public IPv4 addresses on the server, and 6to4 also needs a public address
on the server itself.
• If you deploy a single server behind an edge device, like I did, a firewall rule
forwarding TCP/443 to this server is all that is needed for clients to connect. There are 2
other topology options (Edge, and behind an edge device with two network adapters) you can
select from when configuring.
DirectAccess Server Installation
• The guide below is what you can use to install DirectAccess. Many of
the slides about installation and configuration have been taken from this
resource.
• http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2/
• In Server Manager on 2012 R2, click Manage, then Add Roles and Features.
DirectAccess Server Installation
• Add Remote Access Role.
DirectAccess Server Installation
• Add Remote Access Role Configuration. Click on DirectAccess and
VPN (RAS) and follow through with defaults on the wizard.
DirectAccess Server Configuration
• In Server Manager under Tools, click on Remote Access Management. You can also
open it from the post-deployment configuration warning Server Manager shows after the
role installs.
DirectAccess Server Configuration
• Click on Run the Remote Access Setup Wizard.
DirectAccess Server Configuration
• Click Deploy DirectAccess Only.
DirectAccess Server Configuration
• Go through the steps in the wizard.
DirectAccess Server Configuration
• During Step 1, select Deploy full DirectAccess and you will need to
have an AD group that you will add computers to that will use the
DirectAccess feature.
DirectAccess Server Configuration
• There are two checkboxes you can check on step 1. The first (enable DirectAccess for
mobile computers only) restricts the client GPO to laptops with a WMI filter. The other,
force tunneling, sends all of the client’s traffic, internet included, through the DA
server instead of only intranet traffic; I would not recommend it, since every byte of
the user’s internet browsing then transits your DA server.
DirectAccess Server Configuration
• The resources you list to validate that the internal network is online (an internal
HTTP URL or a ping target) don’t need much thought: the client only uses them to decide
whether its DirectAccess connection is working and to report that in the connection
status. The connection name is what is shown to users whether they are or are not connected.
DirectAccess Server Configuration
• Step 2: configure Remote Access Server
• There are 3 options. I deployed
behind an edge device (with a
single network adapter). Select
the appropriate option for your
configuration.
• Follow the link in an earlier slide
about setting up a certificate on
this device for remote access.
DirectAccess Server Configuration
• Step 3: Infrastructure Servers
The network location server (NLS) is an HTTPS site that must be reachable only from
inside the network. A client that can reach it decides it is on the intranet and leaves
DirectAccess off; a client that cannot decides it is remote and brings up the tunnel.
Two consequences: never expose the NLS name to the Internet (the wizard adds an NRPT
exemption for it so remote clients don’t try to reach it through the tunnel), and keep it
highly available, because if it is down every on-campus client behaves as if it were
remote. I did the second option and used my wildcard certificate for SSL on the IIS server.
DirectAccess Server Configuration
• Step 3: Infrastructure Servers
Use local name resolution if the
name does not exist in DNS or
DNS servers are unreachable
when the client computer is on
a private network
(recommended).
DirectAccess Server Configuration
• If you would like to exempt a device from going through DirectAccess, add a name
suffix entry of hostname.domain.com and leave DNS Server Address blank: names that match
an NRPT entry with no DNS server are resolved by the client’s local DNS and bypass the
tunnel. You can also add other domain names here that you want to go through the DA
connection by supplying a DNS server IP address.
• DirectAccess works using DNS names. If you don’t have a DNS entry for a server, you
won’t be able to reach the device over DA, e.g. network switches you only address by IP.
DirectAccess Server Configuration
• Step 3: Infrastructure Servers
Ensure all your local domain’s
suffixes are listed.
DirectAccess Server Configuration
• Step 4: See link from earlier slide.
• When done, click finish and apply the remote access configuration.
DirectAccess Server Configuration
• Next, on a computer in your domain that is running Windows 7 or 8 Enterprise, add the
computer object to your DirectAccess group, run gpupdate, and reboot. You should see
whether you are connected in the network connections list.
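The wizard steps above can also be done from PowerShell on the DirectAccess server, which is useful for documenting the build and for re-creating the NRPT entries on a second server. The script below is an added example, not the author’s configuration or the Stromberg tutorial’s; it assumes a single-adapter Server 2012 R2 deployment behind an edge device, and every name, address and group in it (da.example.edu, nls.corp.example.edu, 2001:db8::1, EXAMPLE\DirectAccess-Clients, an adapter called Ethernet) is a placeholder.

```powershell
# Added example: PowerShell equivalent of the Remote Access Setup Wizard steps above.
# Run in an elevated session on the Windows Server 2012 R2 DirectAccess server.
# All names, addresses and group names below are placeholders for this example.
Import-Module RemoteAccess

# Steps 1-4 of the wizard in one call. A behind-an-edge, single-adapter deployment
# names the same interface for both -InternalInterface and -InternetInterface.
Install-RemoteAccess -DAInstallType FullInstall `
    -ConnectToAddress 'da.example.edu' `
    -InternalInterface 'Ethernet' -InternetInterface 'Ethernet' `
    -ClientGpoName 'EXAMPLE\DirectAccess Client Settings' `
    -ServerGpoName 'EXAMPLE\DirectAccess Server Settings' `
    -NlsUrl 'https://nls.corp.example.edu/' `
    -Force

# Step 1 details: scope the client GPO to the computer group, keep it to mobile
# computers (the WMI-filter checkbox), and leave force tunneling off so only
# intranet destinations use the tunnel.
Set-DAClient -SecurityGroupNameList 'EXAMPLE\DirectAccess-Clients' `
    -OnlyRemoteComputers Enabled `
    -ForceTunnel Disabled

# Step 3: the Name Resolution Policy Table. Names under the intranet suffix resolve
# through the tunnel via the DNS64 address (the wizard fills in the DA server's own
# IPv6 address; a documentation-range placeholder is used here).
Add-DAClientDnsConfiguration -DnsSuffix '.corp.example.edu' -DnsIPAddress '2001:db8::1'

# A suffix entry with no DNS server is an exemption: the client resolves the name with
# its local (home/ISP) DNS and the traffic never enters DirectAccess. The wizard adds
# one for the NLS automatically; this adds one for a host you do not want reached
# through the tunnel, which is the "leave DNS Server Address blank" case above.
Add-DAClientDnsConfiguration -DnsSuffix 'public-web.corp.example.edu'

# Review the table and the server's health before adding computers to the group.
Get-DAClientDnsConfiguration
Get-RemoteAccess
Get-RemoteAccessHealth | Format-Table Component, HealthState -AutoSize
```

Keep the exemption list short and deliberate: every entry on it is a name that on-campus clients reach directly but remote clients will look up on whatever DNS their coffee-shop network hands them.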
DA Client Network
• Some tunnel adapters (IP-HTTPS, and Teredo or 6to4 where the topology allows them)
are created when you have a DirectAccess connection. With the options we configured
earlier in this presentation (force tunneling off), only traffic to the names we listed
in the NRPT is routed through the DA tunnel; all other traffic goes out the local
internet connection.
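To check from the client side that the policy arrived and that split tunneling is doing what the previous slide describes, the following report can be run on a Windows 8 or 8.1 Enterprise client after the gpupdate and reboot. It is an added example, not part of the original deck; the only assumption is the placeholder intranet host name fileserver.corp.example.edu used in the resolution check.

```powershell
# Added example: verify a DirectAccess client after gpupdate + reboot.
# Run in an elevated PowerShell session on a Windows 8/8.1 Enterprise client.
Import-Module NetworkConnectivityStatus, DirectAccessClientComponents, NetworkTransition, DnsClient

function Get-DaClientReport {
    # Status: ConnectedLocally = on campus (the NLS answered, DA is idle);
    # ConnectedRemotely = tunnel is up; anything else is a failure that Substatus explains.
    $status = Get-DAConnectionStatus
    $config = Get-DAClientExperienceConfiguration

    # Behind an edge device only IP-HTTPS (TCP/443) is available, so this is the
    # adapter that matters. LastErrorCode 0 means the HTTPS tunnel came up.
    $iphttps = Get-NetIPHttpsState

    # Effective NRPT. Entries with DirectAccessDnsServers go through the tunnel; an entry
    # with none (the NLS name, or a host exempted on the server) is resolved by the local
    # DNS and never enters DirectAccess.
    $nrpt = Get-DnsClientNrptPolicy | Select-Object Namespace,
        @{ n = 'DnsServers'; e = { $_.DirectAccessDnsServers -join ',' } },
        @{ n = 'ViaTunnel';  e = { [bool]$_.DirectAccessDnsServers } }

    [pscustomobject]@{
        ConnectionName = $config.FriendlyName
        ForceTunneling = $config.ForceTunneling
        Status         = $status.Status
        Substatus      = $status.Substatus
        IpHttpsState   = $iphttps.InterfaceStatus
        IpHttpsError   = $iphttps.LastErrorCode
        Nrpt           = $nrpt
    }
}

$report = Get-DaClientReport
$report | Format-List ConnectionName, ForceTunneling, Status, Substatus, IpHttpsState, IpHttpsError
$report.Nrpt | Format-Table -AutoSize

# Split tunneling sanity check. An intranet name should come back with an IPv6 answer
# (DNS64-synthesised when the server is IPv4-only); a public name should come back
# from the local DNS as an ordinary A record.
Resolve-DnsName 'fileserver.corp.example.edu' -Type AAAA   # placeholder intranet host
Resolve-DnsName 'www.microsoft.com' -Type A

# The tunnel adapters the slide refers to: IP-HTTPS, Teredo and 6to4 interfaces.
Get-NetIPInterface -AddressFamily IPv6 |
    Where-Object { $_.InterfaceAlias -match 'iphttps|Teredo|6to4' } |
    Format-Table InterfaceAlias, ConnectionState, NlMtu -AutoSize
```

If Status reports ConnectedLocally while the laptop is sitting at home, the NLS is reachable from the Internet, which is the misconfiguration the Step 3 slide warns about and the first thing to fix.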
Direct Access Questions?
What are Work Folders?
• Think of Work Folders like OneDrive, Google Drive, or Dropbox, except the
data resides on your local file servers.
• IT can require that the data be encrypted on the device. If you copy files from your Work
Folder to another location, the file is still encrypted and policies are still
enforced. See this link on how to decrypt files
(http://windows.microsoft.com/en-us/windows-8/work-folders-faq).
• Staff and students can connect to corporate files from their home
computers that run Windows 7 or 8. Windows 7 requires installing the Work Folders client
download to enable this feature. Support for iPad and other devices is coming in the future.
• Can enforce policies, such as lock screen on devices before user is able to
use Work Folders.
• This can integrate with existing Folder Redirection file server structure so
you can do both this and Work folders side by side.
Work Folders Compared to Other Products
Configuring Work Folders
• Installation Guide
• http://blogs.technet.com/b/canitpro/archive/2013/11/13/step-by-step-creating-a-work-folders-test-lab-deployment-in-windows-server-2012-r2.aspx
• Requirements
• AD Server on network
• File Server running Windows 2012 R2 Server
• SSL certificate on the File Server, bound to TCP/443 (the role installs the IIS Hostable
Web Core it needs; a full IIS install is not required)
• Firewall TCP/443 opened, with a public DNS entry for the server, if you open this up to
the outside world.
Configuring Work Folders
• In Server Manager, click Manage, then Add Roles and Features.
• Under Roles > File and Storage Services > File and iSCSI Services, check Work Folders,
or do this via PowerShell: Add-WindowsFeature FS-SyncShareService
Configuring Work Folders
• In Server Manager for File and Storage Services, click on New Sync
Share Wizard.
• There are 2 path options. The first
option is for an existing file share that
you may be already using with Folder
Redirection. Select the local path
option if this is a new one. See link
earlier about the permissions needed
for the root folder.
Configuring Work Folders
• Now you will need to configure the
folder structure.
• User Alias will work with existing folder
redirection or home folders.
• Sync only the following subfolder: By
default, all the folders/files under the
user folder will be synced to the devices.
This checkbox allows the admin to
specify a single subfolder to be synced to
the devices. For example, the user folder
might contain the following folders as
part of a Folder Redirection deployment:
Configuring Work Folders
• Towards the end is where you
can tell it to encrypt Work
Folders and require a lock
screen and require a password.
The password policy enforces the
following configuration on user PCs
and devices:
• Minimum password length of 6
• Autolock screen set to be 15 minutes
or less
• Maximum password retry of 10 or less
• If the device doesn’t meet the policy,
user will not be able to configure the
Work Folders
Configuring Work Folders
• By default, the server checks for data changes every 5 minutes. You can shorten this
with the command below (1 minute in the example), at the cost of more scanning load on
the server.
• Set-SyncServerSetting -MinimumChangeDetectionMins 1
• Also, be sure to set up DNS entries and firewall rules for TCP/443
to make this work if you are opening this outside your network.
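The whole server side of the procedure above (role, sync share with the encryption and lock-screen policies, change detection, certificate binding, host firewall) can be scripted. The block below is an added example, not the author’s deployment or the CANITPRO lab guide; it assumes a Server 2012 R2 file server, a share root of D:\WorkFolders, an AD group EXAMPLE\Staff, and a certificate already in the machine store for the placeholder name workfolders.example.edu.

```powershell
# Added example: PowerShell equivalent of the Work Folders server setup above.
# Run in an elevated session on the Windows Server 2012 R2 file server.
# D:\WorkFolders, EXAMPLE\Staff and workfolders.example.edu are placeholders.
Import-Module ServerManager

# Role (same as the Server Manager checkbox); it pulls in the IIS Hostable Web Core.
Add-WindowsFeature FS-SyncShareService
Import-Module SyncShare

# Sync share with the policies from the last wizard page: encrypt Work Folders on the
# device and require a lock screen with a password (the 6-character / 15-minute /
# 10-retry checks the slide lists). -UserFolderName User creates one folder per user
# alias, which lines up with existing Folder Redirection and home-folder layouts.
New-SyncShare -Name 'Staff' -Path 'D:\WorkFolders' `
    -User 'EXAMPLE\Staff' `
    -UserFolderName User `
    -RequireEncryption $true `
    -RequirePasswordAutoLock $true

# Server-side change detection: default 5 minutes; 1 minute syncs sooner but scans more.
Set-SyncServerSetting -MinimumChangeDetectionMins 1

# Clients only talk to Work Folders over HTTPS, so bind a certificate whose subject or
# SAN matches the public name to TCP/443. The appid is Microsoft's fixed GUID for the
# Sync Share service (from the Work Folders deployment documentation). If full IIS is
# also installed, bind the certificate to the Default Web Site in IIS Manager instead.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.DnsNameList -contains 'workfolders.example.edu' -or
                   $_.Subject -like '*workfolders.example.edu*' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No certificate for workfolders.example.edu in LocalMachine\My' }
netsh http add sslcert ipport=0.0.0.0:443 certhash=$($cert.Thumbprint) `
    appid="{CE66697B-3AA0-49D1-BDBD-A25C8359FD5D}" certstorename=MY

# Host firewall: TCP/443 only. (The perimeter rule and the public DNS record for
# workfolders.<your e-mail domain>, which the client uses for discovery, are separate.)
New-NetFirewallRule -DisplayName 'Work Folders HTTPS' -Direction Inbound `
    -Protocol TCP -LocalPort 443 -Action Allow

# Confirm the policies actually took.
Get-SyncShare | Format-List Name, Path, User, UserFolderName, RequireEncryption, RequirePasswordAutoLock
```

The two Require* switches are what turn the client-side consent screen on; if they are left at $false the wizard’s password checks are never evaluated and unencrypted copies of school data end up on home PCs.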
Work Folders Client Configuration
• In Control Panel > System and Security > Work Folders click on Set up
Work Folders.
Work Folders Client Configuration
• User would type in their email
address and AD credentials. If client
computer is domain joined, it will
not prompt them to login.
Work Folders Client Configuration
• Before it is set up, the user will have
to consent to any security policies
you configured during the server
setup.
Work Folders Client Configuration
• When done, users will see a Work Folders entry in File Explorer.
• When encryption is on, the files and folders are shown in green.
Work Folder Status
• If you go to Work Folders in
Control Panel, you can view any
errors and sync status of this.
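The green colour in File Explorer is the NTFS Encrypted attribute. The report below, an added example that is not part of the original deck, lets a technician confirm on a Windows 8.1 client that the encryption policy really applied to everything under the default Work Folders location, and demonstrates the point made earlier that a copy taken out of Work Folders stays encrypted. It assumes only the default client path %USERPROFILE%\Work Folders.

```powershell
# Added example: audit Work Folders encryption on a Windows 8.1 client.
# Assumes the default client location; no server access is needed.
$workFolders = Join-Path $env:USERPROFILE 'Work Folders'

function Get-WorkFoldersEncryptionReport {
    param([string]$Root = $workFolders)
    if (-not (Test-Path $Root)) {
        throw "Work Folders is not set up on this machine ($Root not found)."
    }

    # File Explorer shows this attribute as green text. Work Folders sets it with EFS
    # under the organisation's enterprise ID, so the file is unreadable by anyone
    # without the user's key even after it is copied somewhere else on NTFS.
    $files       = Get-ChildItem -Path $Root -Recurse -File -Force
    $encrypted   = @($files | Where-Object {  ($_.Attributes -band [IO.FileAttributes]::Encrypted) })
    $unencrypted = @($files | Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::Encrypted) })

    [pscustomobject]@{
        Root        = $Root
        Total       = $files.Count
        Encrypted   = $encrypted.Count
        Unencrypted = $unencrypted.Count
        # Anything listed here means the policy was not applied to that file; the
        # Work Folders control panel's status page will usually show why.
        Offenders   = $unencrypted | Select-Object -ExpandProperty FullName
    }
}

Get-WorkFoldersEncryptionReport | Format-List

# The "copied out, still encrypted" point from the first Work Folders slide: copy one
# file to the Desktop (NTFS, so EFS survives the copy) and ask cipher.exe who can open
# it. cipher.exe /d on such a copy is what removes the encryption, per the FAQ link.
$sample = Get-ChildItem -Path $workFolders -Recurse -File | Select-Object -First 1
if ($sample) {
    $copy = Join-Path ([Environment]::GetFolderPath('Desktop')) $sample.Name
    Copy-Item -Path $sample.FullName -Destination $copy
    cipher.exe /c "$copy"
    Remove-Item -Path $copy
}
```

A copy to a FAT-formatted USB stick is the exception to the "still encrypted" rule: Windows warns and writes it in the clear, which is exactly the kind of leak the encryption policy is meant to make visible rather than silent.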
What we did with Direct Access and Work
Folders
• We implemented these two features and are currently in the testing
phase.
• We have users that are off campus and in the local districts the
majority of the time.
• Enabling these two items will allow us to back up their files to the
server to handle any hardware failure on the computers, and it will
allow us to protect the data by encrypting work-related files.
• We did not publish Work Folders on the firewall; the devices reach it over
the DirectAccess connection we configured on them.
What we did with Direct Access and Work
Folders
• We set up folder redirection for Staff Desktop, My Documents,
Downloads, and IE Favorites folders to point to their user
profile\Work Folders\{Desktop,Docs,Downloads,IEFavs}
What we did with Direct Access and Work
Folders
• Even if you don’t implement DirectAccess and don’t want to open TCP/443 to the
File Server on the firewall, this may still be useful: when users come back to campus,
their files sync to the servers.
• Files are copied to the local device and can be accessed even without a
connection to the server.
Work Folder Questions?